Clarip Privacy Blog

Facebook Fined $5.1 Billion for Cambridge Analytica + Ongoing Privacy Compliance Requirements for 20 Years

The Federal Trade Commission and the Securities and Exchange Commission announced $5.1 billion in fines this week against Facebook for violations related to the Cambridge Analytica scandal. The $5 billion penalty against Facebook by the FTC is the largest ever imposed on any company for violating consumers’ privacy. According to the FTC, it is almost 20 times greater than the largest privacy or data security penalty ever imposed by a government worldwide and it is one of the largest penalties ever assessed by the U.S. government for any violation.

The SEC added another $100 million fine a day after the FTC announcement for Facebook’s shareholder disclosures concerning privacy risks. According to the SEC, Facebook presented the privacy risk as hypothetical in its public disclosures for two years when it knew that a third-party developer had actually misused user data.

As part of the Facebook settlement with the FTC and the Justice Department (DOJ), there will be a new 20-year consent order with a number of requirements for Facebook to follow or face hefty fines. The FTC was able to seek the large penalties for the Cambridge Analytica privacy breach because Facebook had already been under a 2011 consent decree entered into with the FTC to settle a prior investigation into its data privacy practices.


Although the size of the settlement has been criticized by the media and some in the government, FTC Chairman Joe Simons defended it at the press conference as a good result, since attempting to get a higher penalty would result in years of litigation and could lead to a lower recovery. The FTC approved the settlement by a vote of 3-2, with the three Republican Commissioners voting in favor of it. FTC Commissioner Rohit Chopra explained on Twitter a number of reasons for voting against the Facebook settlement, including that it doesn’t fix the incentives causing these repeat privacy abuses.

Regardless of the outcome of that debate, companies facing FTC scrutiny as repeat offenders for privacy violations will now have a tougher precedent to contend with from the FTC. The largest fine for a privacy violation by the FTC before Facebook was a $22.5 million civil penalty against Google. The FTC does not have the authority to fine first-time offenders for privacy violations under Section 5 of the FTC Act, at least until Congress reaches a consensus on a new federal privacy law. Companies that are in violation of the upcoming California Consumer Privacy Act (CCPA) after enforcement starts at the latest on July 1, 2020, will have to contend with those penalties for first offenses, however.

The FTC settlement will need to be approved by the U.S. District Court for the District of Columbia.

Here are a few of the requirements in the consent decree:

Privacy Committee:
– New board of directors committee dedicated to privacy issues.
– Composed of independent board members.
– Privacy committee members appointed by independent nominating committee.
– Termination restrictions for privacy committee: only by supermajority of board.
– Quarterly briefing of privacy committee.
– Hiring and firing power for designated compliance officers.

Accountability:
– Quarterly certification of privacy program compliance by CEO and designated compliance officers.
– Annual certification of compliance with overall terms of settlement by CEO and designated compliance officers.
– Individual civil and criminal penalties for any false certification of compliance.

Government Oversight:

Independent Assessor:
– Government-approved assessor to monitor compliance and issue biannual reports.
– Requires independent fact-gathering, sampling, and testing, and must not rely primarily on assertions or attestations by Facebook management.
– Prohibits Facebook from making misrepresentations to the assessor.
– Assessor to report to privacy board committee quarterly.

FTC and DOJ oversight:
– FTC can use Federal Rules of Civil Procedure discovery to monitor compliance.

New Privacy Requirements:
– Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data.
– Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising.
– Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users.
– Facebook must establish, implement, and maintain a comprehensive data security program.
– Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext.
– Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.
– Impact assessments on new features or updates.
– Breach notifications to government when a breach impacts 500+ users.
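The password requirement in the list above is the one item that maps directly onto an engineering control, so here is an added example (not code from the blog post, from Facebook, or from the FTC order) of what it looks like in practice: passwords stored as salted, iterated PBKDF2 hashes (the usual way "encrypt user passwords" is satisfied, since a reversible cipher would leave the plaintext recoverable), plus two recurring checks that flag any password still sitting in plaintext, one over a credential table and one over application log lines. The record format, iteration count, sample rows and log lines are all assumptions constructed for this example.

```python
"""Added example: salted PBKDF2 password hashing plus two detection checks
(one over stored credential rows, one over log lines) for passwords that
ended up in plaintext. Every sample row and log line below is constructed."""
import hashlib
import hmac
import os
import re

HASH_SCHEME = "pbkdf2_sha256"   # assumed self-describing record prefix
ITERATIONS = 600_000            # assumed work factor; tune to your hardware


def hash_password(password, salt=None):
    """Return a record of the form scheme$iterations$salt_hex$hash_hex."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{HASH_SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def is_hashed(value):
    """True if the value has the hashed record shape, False for anything else."""
    parts = value.split("$")
    return len(parts) == 4 and parts[0] == HASH_SCHEME and parts[1].isdigit()


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    if not is_hashed(stored):
        return False
    _, iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def find_plaintext_passwords(records):
    """Usernames whose stored password field is not in the hashed format."""
    return [r["user"] for r in records if not is_hashed(r["password"])]


# Matches 'password=...', 'passwd: ...', 'pwd=...' style fields in free text.
PASSWORD_FIELD = re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*(\S+)", re.IGNORECASE)


def find_password_leaks_in_logs(lines):
    """1-based line numbers where a password-like field carries a non-hashed value."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = PASSWORD_FIELD.search(line)
        if match and not is_hashed(match.group(1)):
            hits.append(number)
    return hits


# Constructed sample data: one properly hashed row, one plaintext row.
SAMPLE_RECORDS = [
    {"user": "alice", "password": hash_password("alice-secret")},
    {"user": "bob", "password": "hunter2"},
]

# Constructed sample log lines: line 2 leaks a plaintext password; line 3 only
# mentions the word 'password'; line 4 carries a hashed value, which is fine.
SAMPLE_LOG_LINES = [
    "INFO login ok user=alice",
    "DEBUG auth request user=bob password=hunter2",
    "INFO password reset email sent user=carol",
    "INFO stored credential user=alice pwd=" + SAMPLE_RECORDS[0]["password"],
]

if __name__ == "__main__":
    print("plaintext rows:", find_plaintext_passwords(SAMPLE_RECORDS))
    print("leaking log lines:", find_password_leaks_in_logs(SAMPLE_LOG_LINES))
```

The two scanners are deliberately simple shape checks: anything in a password field that does not carry the hashed-record prefix is reported, which catches both a migration that missed rows and a debug statement that logged a request body. In a real deployment the log check would run on the logging pipeline itself, not only on files after the fact.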
